Post subject: Snort doesn't see new NIC Posted: Mar 16, 2007 - 11:40 AM
Did a clean install of Windows 2000 on a new Dell PC with a single onboard (Broadcom) NIC. Followed installation procedure for Snort, BASE, MySQL and Apache and everything worked fine.
After further study on how I was going to deploy the NIDS, I built a passive Ethernet tap (as found at http://www.snort.org/docs/tap/) and placed it between the firewall and the switch on the firewall's trusted interface. I then added a dual-port Intel NIC to the Snort box (giving it a total of 3 Ethernet ports) and connected the two ports on the dual-port NIC to the two ports on the tap and the Broadcom NIC to a regular switch port. My thinking was that Snort could monitor both incoming and outgoing traffic on the dual-port NIC and I could access the box remotely through the Broadcom.
Following all of this, I did a command line 'snort -W' and Snort only sees the Broadcom NIC. How do I get it to see the other two ports I want it to monitor on?
Is this going to work? I've looked around the site and I've seen some suggestion that each instance of Snort can only monitor a single NIC.
Thanks for any assistance you can provide.
Don DeVore
Morpheus
Post subject: RE: Snort doesn Posted: Mar 17, 2007 - 05:53 AM
Site Admin
Snort is only capable of monitoring on a single interface. You can run a second or third instance of Snort for additional NICs.
I'm not sure as to why the -W switch is not seeing all your NICs, but drivers or legacy cards are the usual problem.
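
Added example, not part of either post: a Windows batch file that follows the reply's advice by starting one Snort instance per tap-facing port, each with its own log directory. The interface numbers 2 and 3 and the C:\Snort paths are assumptions; substitute the numbers that `snort -W` prints once the Intel ports are listed.

```bat
@echo off
rem Added example: one Snort instance per monitored interface.
rem ASSUMPTIONS: install path C:\Snort, and interface numbers 2 and 3
rem for the two Intel ports. Take the real numbers from "snort -W".
set SNORT=C:\Snort\bin\snort.exe
set CONF=C:\Snort\etc\snort.conf
set LOGROOT=C:\Snort\log
set IFACES=2 3

if not exist "%SNORT%" (
    echo snort.exe not found at %SNORT%
    exit /b 1
)

rem List the adapters Snort can open. A port missing from this list
rem cannot be given to -i, so fix the driver problem before going on.
"%SNORT%" -W

rem Each instance gets its own window and its own log directory so the
rem alert and packet log files of the two instances never collide.
for %%I in (%IFACES%) do (
    if not exist "%LOGROOT%\if%%I" mkdir "%LOGROOT%\if%%I"
    start "snort-if%%I" "%SNORT%" -i %%I -c "%CONF%" -l "%LOGROOT%\if%%I"
)
```

With a passive tap each port carries only one direction of the link, so each instance sees half of every conversation; rules or preprocessors that need both sides of a session will not behave as they would on a single combined feed.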